Bug bounty is a crowdsourced cybersecurity solution. Organizations like the Pentagon, Google, Yahoo, Microsoft, Pornhub, Netflix, MIT and many others, from small to big, pay hackers large sums for finding security issues. According to CNBC and the BBC, hackers are making millions of dollars from this growing industry.
A reward offered to a person who identifies an error or vulnerability in a computer program or system.
‘The company boosts security by offering a bug bounty’
Sniper: It is an automated scanner that bundles a lot of tools and aggregates their results. Yes, it takes a lot of time to produce results, as it passes your target through many tools and shows all of their output in one place. I have Sniper set up on my VPS, and meanwhile I check other things manually, like web services, WAF, content discovery, etc.
Lazy Recon: It is an automated script written in Bash which includes a lot of subdomain tools, so you do not need to run each tool separately.
Burp Suite: Burp Suite is the most used tool and includes a lot of features like scanning, fuzzing, brute-forcing, encoding/decoding, etc. The main feature is intercepting the browser's requests. Once you start playing with it, it will become your best friend. Also make sure you have a JDK installed.
It comes in two versions, Community and Pro. The free Community version is enough to start with.
Content discovery tools: I have a number of tools in mind, like Wfuzz, DirBuster, Gobuster, etc.; you can install them with:
sudo apt install dirbuster
sudo apt install gobuster
sudo apt install wfuzz
Here, more than the tool itself, good content discovery depends on your wordlist.
SecLists: SecLists is a collection of wordlists and is really helpful in black-box testing. As I said, the wordlist is more important here. Many contributors are contributing to and updating it every week, so this is the best and most widely used wordlist collection.
Download it from GitHub or you can install it through APT.
sudo apt install seclists
Nmap: Nmap is a network scanner with the ability to discover hosts and services. It is old and still powerful.
Once I have a subdomain list, I use:
sudo apt install nmap
sudo nmap -iL subdomain.txt > nmap.txt
This will eventually take a lot of time, but you won't regret running it. Till then, check other tool results or grab a cup of coffee.
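Redirecting Nmap's output to a text file, as above, leaves you with a long report to read by hand. The following script is an added example (not code from the original post or from the Nmap project) that parses that "normal" output format into a per-host list of open ports and flags services that should not normally be exposed on internet-facing hosts. The sample report, the hostnames, the addresses and the list of unexpected services are all constructed assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "normal" output, the format produced by
# redirecting stdout as in `sudo nmap -iL subdomain.txt > nmap.txt`.
# Hostnames and addresses are invented for this example.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-01 10:00 UTC
Nmap scan report for www.example.com (192.0.2.10)
Host is up (0.012s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for mail.example.com (192.0.2.25)
Host is up (0.020s latency).
Not shown: 997 closed ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
587/tcp open   submission

Nmap scan report for old.example.com (192.0.2.99)
Host is up (0.030s latency).
PORT     STATE  SERVICE
21/tcp   open   ftp
23/tcp   open   telnet
8080/tcp closed http-proxy

Nmap done: 3 IP addresses (3 hosts up) scanned in 42.00 seconds
"""

# "Nmap scan report for <name> (<ip>)"; the parenthesised IP is optional
# because nmap omits it when the target was given as a bare address.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
# "<port>/<proto>  <state>  <service>" rows of the port table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text):
    """Return {hostname: [(port, proto, service), ...]} for open ports only."""
    results = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current]  # register the host even if no port turns out open
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            if state == "open":
                results[current].append((int(port), proto, service))
    return dict(results)


# Services a reviewer would not expect on an internet-facing host. This set is
# an assumption made for the example, not something taken from the post.
UNEXPECTED_SERVICES = {"ftp", "telnet"}


def flag_unexpected(parsed):
    """Return {hostname: [open ports whose service is in UNEXPECTED_SERVICES]}."""
    flagged = {}
    for host, ports in parsed.items():
        hits = [p for p in ports if p[2] in UNEXPECTED_SERVICES]
        if hits:
            flagged[host] = hits
    return flagged


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for host, ports in parsed.items():
        print(host, ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in ports))
    print("needs review:", flag_unexpected(parsed))
```

To use it on a real run, read nmap.txt into a string and pass it to parse_nmap_normal(); the parser deliberately ignores the "Not shown" summary and table header lines, and it only keeps ports whose state is exactly "open", so filtered or closed ports never reach the inventory.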
Arjun: I mostly use Arjun when I am too lazy to beautify the JS file and go through it manually. So it helps me to find parameters through the JS files.
OpenRelayMagic: This tool helps find SMTP servers vulnerable to open relay.
1. Checks a single target or a domain list
2. Ports 587 and 465 implemented
Teh S3 Bucketeers: It is used for finding open AWS S3 buckets.
CloudFlair: CloudFlair is a tool to find origin servers of websites protected by Cloudflare that are publicly exposed and don't restrict network access to Cloudflare. Most websites are behind Cloudflare for an extra layer of security, so this tool will help you find the origin IP.
Tip: Most of these aggressive tools get detected by the WAF (Web Application Firewall), which leads you to false results. So you can always use the random-agent option, which you can find in most of the tools, or use Tor, so that you do not end up with false positives.
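The flip side of that tip is worth seeing from the defender's chair: a WAF or a simple log review spots these tools both by their default User-Agent strings and by the burst of 404s that content discovery produces, and rotating agents leaves a different signature (many agents from one address). The script below is an added example, not code from the original post or from any of the tools it names; it parses constructed access-log lines in the Apache/nginx "combined" format and reports addresses that match either pattern. The IPs, paths, agents and thresholds are all invented for this illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines in "combined" format. The addresses, paths and
# User-Agent strings are invented for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2021:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.1.0"
198.51.100.7 - - [01/Jan/2021:10:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/3.1.0"
198.51.100.7 - - [01/Jan/2021:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "gobuster/3.1.0"
198.51.100.7 - - [01/Jan/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 1820 "-" "gobuster/3.1.0"
203.0.113.5 - - [01/Jan/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0"
203.0.113.5 - - [01/Jan/2021:10:00:06 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0"
192.0.2.44 - - [01/Jan/2021:10:00:10 +0000] "GET /a HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
192.0.2.44 - - [01/Jan/2021:10:00:10 +0000] "GET /b HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Macintosh) Safari/14.0"
192.0.2.44 - - [01/Jan/2021:10:00:10 +0000] "GET /c HTTP/1.1" 404 162 "-" "Mozilla/5.0 (X11; Linux) Firefox/84.0"
192.0.2.44 - - [01/Jan/2021:10:00:11 +0000] "GET /d HTTP/1.1" 404 162 "-" "curl/7.68.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Lower-cased substrings of the User-Agent values these tools send by default.
SCANNER_AGENT_MARKERS = ("gobuster", "dirbuster", "wfuzz", "nmap", "sqlmap", "nikto")


def parse_log(text):
    """Return a list of dicts, one per line that matches the combined format."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def detect_scanners(rows, min_requests=3, not_found_ratio=0.75):
    """Return {ip: [reasons]} for addresses whose traffic looks like a discovery tool.

    Two signals are combined per source address:
      * a known tool name in any User-Agent it sent, and
      * at least `min_requests` requests of which `not_found_ratio` or more
        returned 404, which is what wordlist-driven content discovery produces.
        When that burst also comes with several different User-Agents from the
        same address, agent rotation is reported as an extra reason.
    """
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, reqs in by_ip.items():
        reasons = []
        agents = {r["agent"] for r in reqs}
        if any(marker in a.lower() for a in agents for marker in SCANNER_AGENT_MARKERS):
            reasons.append("scanner user-agent")
        if len(reqs) >= min_requests:
            nf = sum(1 for r in reqs if r["status"] == "404") / len(reqs)
            if nf >= not_found_ratio:
                reasons.append(f"{nf:.0%} of requests were 404")
                if len(agents) > 1:
                    reasons.append(f"{len(agents)} different user-agents")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately low so the sample triggers; on a real log you would raise min_requests and restrict the 404 count to a time window, otherwise a legitimate crawler hitting stale links would show up next to the scanners.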
Thus we conclude the list of tools that I mostly use while I am doing black-box pentesting. Let me know if you want me to add any other tools.